authorizationPolicy resource type
Namespace: microsoft.graph
Important
APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported. To determine whether an API is available in v1.0, use the Version selector.
Represents a policy that can control Azure Active Directory authorization settings. It's a singleton that inherits from base policy type, and always exists for the tenant.
Methods
| Method | Return Type | Description |
|---|---|---|
| Get authorizationPolicy | authorizationPolicy | Read the authorizationPolicy object. |
| Update authorizationPolicy | None | Update the authorizationPolicy object. |
Properties
| Property | Type | Description |
|---|---|---|
| allowedToSignUpEmailBasedSubscriptions | Boolean | Indicates whether users can sign up for email based subscriptions. |
| allowedToUseSSPR | Boolean | Indicates whether the Self-Serve Password Reset feature can be used by users on the tenant. |
| allowEmailVerifiedUsersToJoinOrganization | Boolean | Indicates whether a user can join the tenant by email validation. |
| allowInvitesFrom | allowInvitesFrom | Indicates who can invite external users to the organization. Possible values are: none, adminsAndGuestInviters, adminsGuestInvitersAndAllMembers, everyone. everyone is the default setting for all cloud environments except US Government. See more in the table below. |
| allowUserConsentForRiskyApps | Boolean | Indicates whether user consent for risky apps is allowed. We recommend to keep this as false. |
| blockMsolPowerShell | Boolean | To disable the use of the MSOnline PowerShell module set this property to true. This will also disable user-based access to the legacy service endpoint used by the MSOnline PowerShell module. This does not affect Azure AD Connect or Microsoft Graph. |
| defaultUserRolePermissions | defaultUserRolePermissions | Specifies certain customizable permissions for default user role. |
| description | String | Description of this policy. |
| displayName | String | Display name for this policy. |
| enabledPreviewFeatures | String collection | List of features enabled for private preview on the tenant. |
| guestUserRoleId | Guid | Represents role templateId for the role that should be granted to guest user. Refer to List unifiedRoleDefinitions to find the list of available role templates. Currently following roles are supported: User (a0b1b346-4d3e-4e8b-98f8-753987be4970), Guest User (10dae51f-b6af-4016-8d66-8c2a99b929b3), and Restricted Guest User (2af84b1e-32c8-42b7-82bc-daa82404023b). |
| id | String | ID of the authorization policy. Required. Read-only. |
| permissionGrantPolicyIdsAssignedToDefaultUserRole | String collection | Indicates if user consent to apps is allowed, and if it is, which app consent policy (permissionGrantPolicy) governs the permission for users to grant consent. Values should be in the format managePermissionGrantsForSelf.{id}, where {id} is the id of a built-in or custom app consent policy. An empty list indicates user consent to apps is disabled. |
allowInvitesFrom values
| Member | Description |
|---|---|
| none | Prevent everyone, including admins, from inviting external users. Default setting for US Government. |
| adminsAndGuestInviters | Allow members of Global Administrators, User Administrators, and Guest Inviter roles to invite external users. |
| adminsGuestInvitersAndAllMembers | Allow the above admin roles and all other User role members to invite external users. |
| everyone | Allow everyone in the organization, including guest users, to invite external users. The default setting for all cloud environments except US Government. |
Relationships
None.
JSON representation
The following is a JSON representation of the resource.
{
"id": "String (identifier)",
"description": "String",
"displayName": "String",
"enabledPreviewFeatures": "[String]",
"guestUserRoleId": "Guid",
"allowUserConsentForRiskyApps": false,
"blockMsolPowerShell": true,
"defaultUserRolePermissions": {"@odata.type": "microsoft.graph.defaultUserRolePermissions"},
"allowedToUseSSPR": true,
"allowedToSignUpEmailBasedSubscriptions": true,
"allowEmailVerifiedUsersToJoinOrganization": true,
"allowInvitesFrom": "String",
"permissionGrantPolicyIdsAssignedToDefaultUserRole": "[String]"
}
Feedback
Submit and view feedback for